With the 2024 United States Presidential Election right around the corner, we talk to an unnamed guest who has worked on cybersecurity for political campaigns in the United States since 2004. We recorded this in late August 2024.

Links:

• Active Measures by Thomas Rid: https://us.macmillan.com/books/9780374287269/activemeasures
• https://en.wikipedia.org/wiki/Operation_Aurora
• Google APP announcement, October 2017: https://www.wired.com/story/google-advanced-protection-locks-down-accounts/
• https://linux.die.net/man/1/xxd
• Adobe Reader October 2016 Security Update: https://helpx.adobe.com/security/products/acrobat/apsb16-33.html

---

This rough transcript has not been edited and may have errors.

Deirdre: Hello! Welcome to Security, Cryptography, Whatever. I’m Deirdre.

David: I’m David.

Thomas: I’m trying to figure out what this broken Yubikey I’m looking at is for. There’s something I can’t log into right now, and I don’t know what it is.

Deirdre: Okay, that’s Thomas. And we have a special guest today. How are you?

Guest: Hello. Hello. Thank you very much for having me on the podcast. This is going to be fun.

Deirdre: Absolutely. Do you work on campaign security or election security?

Guest: Wow, that is a wacky way to sit down and say it. I have done us presidential election campaign security since 2004. Technically. I’ve worked in 2000 for Al Gore’s campaign. I was a volunteer. It was easy to volunteer for Al Gore’s campaign because I went to college in Nashville, Tennessee, and his headquarters was in Nashville. My life is such that I just sort of fall into jobs and it’s fine. So I would sit down and say I focus on campaign security within the election sort of industry.

I don’t know. It’s hard to understand if you don’t actually work within the system. So I can probably explain a little bit about how the system works. So there are basically three groups who work in the election space. And those three groups, because of campaign finance laws, Ir’s laws, and other laws, they can’t talk to each other. So for lack of a better, better term, there’s what is called the election infrastructure isac community. These are the folks who are literally in something called the EI ISAC. These are like secretaries of states.

These are voting machine companies. These are entities that have equities within that space. And unless you are in that space, very specifically, you cannot play in their pool, which is totally fine. That’s great. There’s the middle tier. These are the campaigns and candidates themselves.

Deirdre: Why are they the middle tier? And why is ISAC the top?

Guest: Well, I wouldn’t sit down. Well, it’s not like a top. I mean, in my head, the reason why they’re the top tier, because the election infrastructure folks, they truly represent government. Okay? They’re the folks who are the, they’re the judges, they’re the referees that are the people who are setting up how elections, the mechanics of the elections work. And then you have the players who are in the field, you know, doing the election soccer football thing. And so those are the campaigns, those are the committees. Those are basically them, that middle tier. They are under either section 527, which is quite literally the carve out for presidential campaigns and the related committees whose tax code I do not actually remember, which is a little embarrassing.

And then last but not least, you have this third group, which are non campaign democracy organizations who are 501, organizations that have stakes in the campaign. These tend to be what kids call super PACs. These are issue based educational outfits. Sometimes they’re 501 C three s, sometimes they’re 501 C six s, which are social, and they’re advocating for a position and not a candidate. And yeah, those are the three. And because of laws, none of these groups can talk with each other. But as a scepter, because in the security space, we like to talk about, do bad guys look at you as all the same thing? Yes, the bad guys look at all three of those groups as kind of the same sets of targets. You’ll have the same sets of threat actors hitting up those guys, all of those teams kind of at the same time. And because it’s an election cycle, you can time it to your watch. It’s the end of August, so it’s almost September, so cue the Russians.

Deirdre: Okay. All right.

Guest: Cue the Chinese.

Deirdre: Can you tell us a little bit about kind of the threat landscape when the calendar ticks over to end of summer and you’re just sort of like, oh, look, here come your fancy bears.

Guest: And your, all the pandas and all the kittens.

Deirdre: Yeah, I don’t know. I don’t know what the animal avatars are for. Things that aren’t chinese or russian, but screaming eagle. Screaming eagle. Oh, that’s a good one. Who is that? Another class crowdstrike name. Okay, can you tell us a little bit, like what signals you all you campaign and election security sort of minders of the threat actor landscape start to see around this time you can almost set your watch to it. What do you start seeing? And you’re like, oh, yeah, it’s that time of the year.

Guest: Yeah. So it’s kind of useful to like, that’s a good question, and I’m going to answer it in sort of a securitous way. The thing is, is that in the beginning, like Aka in 2004 when I first started working in campaigns, you could very clearly see the fact that the threat actors were traditional foreign intelligence officers who sit down and say, hmm, I need to know how this works because we have some outcome that we’re trying to go in favor of. Let us do our intelligence work the way that we normally do it, which is we’re going to go after human intelligence. We’re going to go after people because these people are key decision makers. And what we need to know is what information key decision makers are looking at and seeing to make their decisions so that we can either, one, understand what their decisions are and how to counter it. Two, how we can possibly modify those data points to be able to alter the trajectory. And then three, how do we make a better space for us, the foreign intelligence officer, for where we want to throw them into? The way to think about it is, it’s weird, right? In the cold war in the United States, and this, again, I’m going way off path.

In the cold war in the United States, we had a defense theory that’s called game theory. And game theory is. Oh, are you saying it’s time for some game theory? But like, I mean, obviously you guys know what game theory is, but like, that’s that. But that is just one defense sort of hierarchy and thought process. The Chinese use something that they call, it’s like defensive. It’s like defensive push or something like that. The idea is the Chinese will alter the new space that you are receiving to be able to tailor the landscape to be more favorable to their operations. The russian version of this is called a reflexive control.

It’s kind of like judo. Basically, what you do is you hit an opponent and you cause that opponent to reflexively go into some reaction space, and you’re trying to control what possible outcomes that they’re doing. I am not making up any of this stuff. If you want to read more about it, I suggest reading active measures by Thomas Ridd.

Deirdre: Oh, that’s a good book.

Guest: I would recommend going to read a whole bunch of stuff from seissitive about China and their stuff. I just dabble and I read what I have to because of work within that realm of an intelligence officer trying to understand what’s going on in the space. They’re again trying to gather human intelligence, understanding where decisions are and are not coming. But first and foremost, they go, huh. We’re watching a lot of CNN. How do campaigns work? Because if you’re an outside, if you’re an outsider looking in, how about this one? If you’re an american and you look at a US election system, it’s ununderstandable, it’s unintelligible. Right? It’s. You said it’s like the Olympics.

Every four years, the Olympics happen. In the business, we call it E day. And e day happens on a cycle. So there’s the election year. The year after election year is actually a very shallow, fallow year. There’s only a governor of California. There’s a governor in New Jersey race, and there’s governor in Virginia. The Virginia governor’s race is the last wild west in the United States that’s left it in the Virginia governor’s race.

It’s the last state that allows you to do soft money. So if ExxonMobil wants to spend a billion dollars on you, they can just give you a billion dollars and it’s totally fine. You find a lot of wackiness happening in Virginia governor’s race.

Deirdre: Wow.

Guest: And then the year after is midterms. And midterms mean one third of the Senate is up for election and 100% of the House is up for election. The year before the show. Well, it’s the year before the show and we’re tooling up for the show. A presidential campaign is unlike any other company you’ve ever heard of or worked for. The job is that you have three people decide that we’re going to have a mascot and this mascot, we’re going to get a new job. So we’re going to incorporate a for profit company that runs 100% on donations. And in 18 months, if we’re good at our job, we’re going to go from three of us to like 6700 or 7000 people.

And then like on Wednesday, we’re all fired.

Deirdre: It’s like the worst startup you’ve ever worked for, except it’s also the best.

Guest: It’s not one startup. It’s like eight startups.

Deirdre: Yeah.

Guest: So as a for instance in, let’s go ahead and say, 2016, the Hillary Clinton campaign, there was a medium sized tech startup. There was a medium size boutique communications firm. There was a small publishing firm. There was a travel agency. There was an event planning company. There is a very detailed and rather huge finance department. Theres an advanced team. I dont even know.

I dont think theres a business analog to an advanced team.

Deirdre: Logistics? Yeah, I don’t, I mean, even logistics.

Guest: Doesn’T quite say that because, like, you can do logistics from home, you don’t do logistics from Iowa, but every four years a bunch of people just go to Iowa and New Hampshire and trundle around there. And so, like, working at the presidential campaign, it’s a wild ride. Right? Like in 2015, I started, I was, I think I was employee number. Like, I think I was like 14 on the tech team by the time we ended, I think we had 80 or 90. And some of those folks that we were working with, I thought I had been working with them for like years because that’s another thing that happens on campaign. It’s an effect I call the campaign time dilation effect. Yeah. Every week feels like a year.

Deirdre: Yeah.

Guest: Like towards the end, it gets harrowing how much stuff, stuff gets compacted into individual days, especially in October. Yeah. And so again, to where you’re asking, we need to understand, if I’m a foreign intelligence officer, I need to understand how these elections work. Watching the news, reading the news, it doesn’t seem to make any sense. So let me go ahead and try to get real aggressive and real aggro to go see what campaigns are up to. And they try and they do. And a lot of the information is public information. That’s first and foremost.

So they don’t have to break in. Please stop breaking in. And two, the information that people have, it tends to be the intelligence part of it is absolutely 100% useless after we’re done with it, because it’s things like, here’s a marking analysis of where we should do television ad buys.

Deirdre: Yeah.

Guest: Once we do those ad buys that morning, we don’t care.

Deirdre: Yeah, it’s useless.

Guest: That info is absolutely useless. Well, certainly to opponents. And that’s the other part of the campaign. I should really explain that one, too. In the timing of a campaign, there’s basically two major phases of a campaign. Well, I guess three. So there’s a primary election, there’s a general election. They have different legal meanings because you can raise two different pots of money for the two different elections.

The current limit is like 2750 bucks per election. So combined, you can give like 52 or 50, I don’t know, do math. Like 27, 50 times two, you can donate that in a year.

Deirdre: 54, 84, 40.

Guest: But that 54, 80 is just like one pool of money that you could give. Like the candidates in the committees have teamed together because they’ve said, well, you can donate 27, 50 per election, per campaign. So what if we bundled all the elections together, sort of like the mortgage crisis, we’re just going to take all these campaigns and bundle them all together. So you can just donate a whole bunch of money all at once.

David: Triple A rated campaigns.

Deirdre: Yeah.

Guest: And that’s what happens. You have these things that they called joint committees, aggregate committees, coordinated campaigns, things like this. And it’s, one, it’s important because fundraising is important because the real phases in the election, besides the primary and the general is the fundraising part. So the two phases in the campaign, in my head is there’s a fundraise portion and then there’s the tactics portion. The fundraising portion is kind of easy to understand. Hello, please give us money. Hello, it’s Barack Obama. I’m in your inbox that asks you for $5.

Deirdre: Use a non shitty payment processor and Pii handler, and you’re good to go.

Guest: Right? Yeah. And we’re basically raising money hard. Like, really, really hard up through basically September ish. It’s not to sit down and say, there’s not fundraising happening after September. There’s absolutely 1000% fundraising that’s happening after September. But September, August, right around now, is when the money spigot really turns on. And all of a sudden, the campaign starts going into tactics mode. And the tactics mode is get votes, clock votes, talk to voters, communicate with voters, make sure they have a plan to vote, if they have a plan to vote, present them options on how to vote, and then make sure they please go out and vote.

Deirdre: And then early voting starts, like within two or three weeks, right?

Guest: It’s like two weeks. Yeah, yeah, it’s happening. And. And these are money, money, money. Yeah, money, money, money. Votes, votes, votes. Please, please, please and thank you. And then you have just sort of the, sort of atmosphere of the campaign in what a lot of people see is they see what we call earned media hits and paid media hits.

Paid media hits are really easy to understand. These are advertisements that we’ve paid for and they go on television. Earned media hits are when the campaign is able to get on air for no money. It turns out the 24 hours news cycle is like Taylor made for this in 2016, airing Trump rallies unbroken for hours upon hours upon hours. That’s just bajillions of dollars.

Deirdre: Like infinite free media.

Guest: In free media. In earned media hits.

Deirdre: Yeah, yeah.

Guest: And a lot of those earned media hits are to define and shape the candidates and the campaign to discuss and refine issues. There’s some. Some mudslinging that happens. You know, it varies between campaigns, but the real mudslinging happens in other organizations because folks don’t want to be tied, their hands tied to that.

Deirdre: Are these the third category we talked about, these PACs and advocacy groups and things like that?

Guest: Some paCs, some advocacy groups. I’m not going to sit down and paint a brush because there are many good democracy groups within the, these 501s. Everyone’s just taking advantage of the tax laws as they’re written because there is no comprehensive federal law around elections. All elections are done at the local level. And this is the big problem that the EI ISAC folks deal with. Yep, yep.

Deirdre: But, yeah. Okay. So, like, given that kind of calendar, like, around this time of, you know, t minus three months of e day, it sounds like you’re seeing signals, like in the wind, in the chatter, so they start messing around. So like, what’s, what does your radar look like and what kind of things do you see popping up on your radar that, like, yup, okay, that’s, it’s starting now. Like batting down the hatches in the past.

Guest: I don’t know. I’ll tell you what, my favorite leading indicator, the best ttp that I have for a north korean threat actor to go ahead and start doing stuff. Did they launch a nuke? Did they test the nuke in 6 hours? I guarantee you they start doing a hardcore phishing test across as many folks as they can, because what they’re trying to do is they’re trying to pick up any chatter as a reaction to their test. It happens exactly like clockwork. You can set your watch to it. I literally did. It was like, oh, this is happening. Oh, we should go deal with that.

The threats to the campaigns themselves is you end up having several sets of folks we have in the policy space. You’ll have folks who are in the policy team. Policy team. It sounds like their job is to sit down and come up with policy and put good words down into paper and do things. While that is 1000% true, policy is also tasked with, and probably their most important job that they’re tasked with is vetting speeches to make sure that the talking points within the speech, that’s what we talked about, that’s what we’re doing. We’re cool with it. The way that these policy groups work is they tend to work by basically whatsapping each other and signaling each other. And back in the day, emailing each other.

It was pretty common for just these huge giant chains of emails going between very important person that you’ve definitely heard of in the media and other very important person that you’ve definitely heard about in the media, and important person whose name you recognize. And they’re just emailing each other, just ideas and thoughts and stuff. If a bad guy can get a toehold into that, that’s perfect. Those are all the thought leaders that they want. These are the key decision makers and people who are giving the right sets of inputs to the right sets of people. We would like to go mess with them if that’s the type of thing that we would like to mess with. If we’re the type of a threat actor that wants to sit down and say, cause a different outcome in an election, maybe what we’re gonna try to do is do some hack and leak operations. Maybe we’re going for some damage? What damage can we do? And they are opportunistic.

Whenever they find something, it’s almost always like, hey, I found a thing. So it’s like, ha ha, here’s a problem. How do I make it the worst problem you’ve ever seen? Yeah.

Deirdre: So besides a hack and leak, what are they able to do if they say they got toe hold on these sort of email conversations, either because a staffer was in the loop and they popped the staffers account or anything like that? Like what? Are they able to, like blackmail, or are they able to kind of like, send kind of signals elsewhere in a way that’s not like a hack and leak sort of thing, like a WikiLeaks sort of campaign?

Guest: Well, I’ve only worked for one team, and so I don’t know what’s happening on the other side. But the things that you’re saying, yes, all of that has definitely happened in the past, going back to like the 1950s, not with, but there have been sort of individual influence operations that have happened where we’re just trying to compromise humans. It turns into just regular human intelligence type of work. The advantage with sort of digital tools and digital communication means is the toolbox that you have is now just much wider. Things that you will definitely see, though, is that threat actors at the nation state level, they seem to have different teams. There’s an A team, these are the kids who can definitely code, and they can definitely write polished code and full chain exploits and amazing tools. And then at the bottom you have the intern, and they’re kind of bad, but their task is LinkedIn and WhatsApp.

Deirdre: Which is very valuable to actually just be just scouring random shit that gets accidentally posted to LinkedIn and you figure out some random crap, or you hop into a large WhatsApp group that you probably weren’t supposed to be allowed into, or anything like that. That’s valuable even if you can’t code multilevel, zero day exploit.

Guest: Yeah, no. LinkedIn is the strangest thing to me, because in the most american of ways, it is a personal account, but it’s about work, but it’s not work. Only.

Deirdre: America, America, we love to work. Our lives are, work is our life.

Guest: So our work life balance is all messed up on LinkedIn. And by mining LinkedIn, you can get pretty far to go find folks. And I definitely found threat actors 1000% mining LinkedIn, trying to like, set up meetings. Please. Here’s a PDF.

Deirdre: It’s fun.

David: So that’s probably like somewhat newer. Like you mentioned, the 2004 campaign. So like, what, what does cybersecurity for campaign in 2004, 2008 look like compared to, say, 2016, 2020? I think, you know, cybersecurity is a lot more top of mind in the 2016 campaign than it was for campaigns prior to that, at least in the general populace. So how has, how have things kind of changed over the year? And what. What did it even look like in 2004?

Guest: So in 2004, stripe didn’t exist. No. We had to implement our own payment processor.

Deirdre: Oh, God.

Guest: It was written in something called Perl.

Deirdre: I remember Perl.

Guest: We used Mason as a framework. We had this little bank. Name them. We had a small bank. It was a bank of a nation. And we asked them because we were worried about the nomination night, because we knew we were going to get a flood of online donations. But, like, hey, how many donations? How many payments can this thing process? It doesn’t seem to be very stable, like this payment processor that we’re using at this top bank. And so I asked the question, hey, how many transactions can you do per second? And it took them two weeks, and they finally get back to us, and they go, you can do.

We guarantee you can do four transactions a minute. I was like, no. And he’s like, no, no, no. That’s what you can do. We guarantee that you can do four transactions per minute. I was like, what does Amazon do? He’s like, oh, they batch them. I was like, can you. We are not allowed to batch these trans, these donations because there’s a magic set of words that happens on the nomination night, and you can always hear the magic style words.

The magic word is, I accept your nomination to be president of the United States. That marks the end of the primary and the beginning of the general election. But donations up to that night count towards the primary. And because all of a sudden, there was this deadline, we asked lawyers, because I don’t do anything that the lawyers don’t tell us to do because I’m smart. And they said, well, you can take donations up to midnight eastern time because Kerry’s giving his talk here. And so midnight here? I was like, what about, what if that was midnight Pacific? And he’s like, wait, what? That’s like, three extra hours. I was like, exactly. Like, what about Guam? And he’s like, what?

Deirdre: It’s like submitting a paper territory.

Guest: What about the US? Like, Guam. Guam, I think, is the farthest out I can get. He’s like, is that on the date line? I was like, I think it’s just before. He’s like, I want it to be Guam. Can you please make it Guam? And he like, he’s like, that’s a very interesting question. No.

Deirdre: Good. Yes, very good question. I’m very glad that you tried to push it as far as you could get it to go.

Guest: The boss came back and the boss was like, hey, listen, midnight west coast, that seems like a pretty good compromise, because otherwise, Guam. Or not even Guam, Hawaii. Hawaii is a full on state. Midnight, Hawaii. That’s like a thing. Yeah. I try to, like, look at the Bering Islands to figure out in Alaska. I was like, how far in the time zone does that go?

Deirdre: Is it further west than Hawaii? If it is, then let’s do Alaska.

Guest: Anyways, while we were doing all of that stuff, I’ll tell you the type of threat actors we saw. I saw $90,000 in ten cent transactions.

Deirdre: Trying to flood you, spam you, knock you off.

Guest: I said, hey, boss, do you want me to return these donations? And he looks at me and he goes, what do you mean? I was like, they’re $90,000 worth of ten cent donations. He’s like, are you kidding? How many donation nations is that? It’s like, you moved a decimal place two places. No. Yeah, it turns out works. So, hooray. We can handle the loan. We’re good. But it turns out Carter’s figured out that this is a great way to go test their pile of credit card numbers that they wanted to go do.

We already put in some controls because in the us elections, non us individuals cannot donate into the campaign. The way that we’ve technically implemented this, because we’re technologists, is we rely on the credit cardinal, the credit card issuer, to give us the data that tells us what’s going on. And encoded within the credit card is all this weird information I didn’t realize was there. But it will tell you what country the credit card was issued in. It will tell you what denomination money the credit card uses by default. And it’s got zip. And then there’s some fun crypto mathematic, which is like crayon and rubber band crypto math. But it’s fine.

It works to do the verifications. And so we were already turning down non us cards, but there was a weird outlier, which was, I think it was Turkey. Like, in Turkey, you could have a Turkish card that was processing in US dollars that had a US zip code because of mail. So, like, all the checks would like, yeah, yeah. Go through. And I was like, eh. And so, like, we had to do a couple extra checks. I was like, yeah, I found the cards.

I found the. I found the donations. I don’t have the credit card numbers because I didn’t have the credit card numbers. I was like, I can refund. Then he’s like, do it, do it, do it, do it. And I was like, what do you want me to do about this, boss? He’s like, what do you think? I was like, I think you’re going to tell me to raise the limit. And these are people who have illegal. Who have other people’s credit cards, and they found a great way to not commit mail fraud to test a credit card number.

And if we raise the limit to $10, they’re just going to donate $10, and the problem is going to be way, way, way worse than the FEC report. And he’s like, oh, humped. Well, raise it to a dollar and keep watching. I was like, okay. And so, like, I built a graph to just stare at donations, which turns out that’s my entire life, staring at a graph of donations coming in. It’s a really good leading indicator for me. We can tell if our payment processor is crashed because all of a sudden, the donations. Flat line.

Deirdre: Yeah.

Guest: If there’s some sort of funny business, like, anytime someone does a chargeback attack, we can tell because the graph should monotonically increase. It should never, ever go down.

Deirdre: Yeah. So this is not per day or per hour or whatever. This is literally, how much money have we processed for the whole thing?

Guest: It’s really a lazy graph, I have to tell you.

Deirdre: I mean, it’s kind of nice because you can see the history of patterns. It’s not just literally, like, what is my rate of income or whatever processing per.

Guest: Obviously, I take derivatives of those curves as well. But, like, at the end of the day, it’s really easy to see the graph, like, slightly do a change in reflection rather than, like, staring at the positive and negatives of an acceleration graph, because, like. Because, like, when I tried doing that with the. With the positive. With the acceleration graph, the boss was like, what? That graph hurts my head. I don’t want to see it. Okay. Yeah, that.

Yeah, that makes sense.

David: Okay, so payment processing, credit card fraud. At some point, phishing, like, becomes center of the story. I feel like by 2016.

Guest: Yeah.

David: And so was that around then, or is that a somewhat new development?

Guest: Phishing had been happening all throughout, like, 2000. 820, twelve. There was a lot of phishing that was happening then. But can I talk about. There was. There were some successes that the bad guys had in twelve that were very real on both sides of the aisle. Romney campaign, in the Obama campaign got popped by chinese threat actors.

Deirdre: China was having the ball in, like, the era, dude.

Guest: They went hard. They went hard. But the difference in the operations was that a lot of the chinese tooling is automated. They’re really built for. Okay, click this thing and run this windows executable. Do the thing. Here’s a windows executable. Go, go, go.

As campaigns started maturing different and different, and Apple existed, a lot of the more senior people started just switching to Apple computers and a lot of the sort of problems, especially for that sweet window of time between 2010 to, like 2014, there was like a sweet window of time where, like, there were kind of not many Apple O’days out in the wild. It was like, it was calm and nice and like, my suggestion was like, buy an iPhone, have a MacBook Pro, and we’re kind of pretty okay.

Deirdre: Pretty okay?

Guest: Like, your EDR isn’t doing what you think it’s doing. So, like, it’s pretty okay. Yeah. But in 2016 campaign fishing with Buck Wild, I had been hired in the campaign, like, 2015, September 2015, and I had come up with a plan to protect what’s coming into the campaign, what’s going out from the campaign, and protecting the principles of the campaign, because that’s it. That’s real. Like, you protect the people. You protect the stuff coming in, protect the stuff going out.

Deirdre: That’s the way.

Guest: But to that end, I was always, and I continue to mostly worry about personal accounts. It is the strangest thing to me today. If you work for a company, we can do all kinds of stuff for you. We can do amazing amounts of stuff for you security wise. But if I am just with my Gmail account, I’m just at, I guess, my own personal recognizances. Whatever.

David: Individual responsibilities.

Guest: Individual responsibilities, right. Like, app didn’t exist at the time. There was. Ubiquis did exist, but the two factor auctions, the ecosystem was pretty bad at the time. The biggest pain in the butt, of course, with the QR TOTP passwords was backing up those TOTP passwords because that was a nightmare. The usability wasn’t quite there. But I was very concerned, and I was watching through this, and I said that we should probably convince all of our principals, all the high level senior officials, 1000% across the board, everyone. You need to have at least some sort of multi factor authentication on your works, but also your personals.

I went a step further and argued that we should do all this on our banks and just, just everywhere that I could possibly get us into. Let us do those bits of basics, because this campaign isn’t going to exist in 18 months. We’re a ghost town in 18 months. The only thing that matters is the people that are here now. And I had made my face known around the campaign because I have a dog, and my dog was like the informal mascot around the campaign. And then one day it happened. I think it was either February or March, the Russians started doing their first sets of phishing emails, and they hit high and low, and they were very, very, very targeted. Again, these are how you could tell differences between different nation state actors.

In this particular case, they would hit senior campaign officials down. Like, they go from senior officials to their assistance, like, legitimately their assistance, and then down the line, like, just like, down the reporting line. How would they know how to do this, the FEC report? So when the bad guys start doing their thing, I. Within 15 minutes of them starting their campaign, I had a campaign team members walk up to me and go, I got a really weird email. Can you check it out? I was like, yeah, I’m in. And I checked it out. It was a garbage phishing link, and it had a bit ly link. I was like, cool, give me this bit ly link.

Let me put a plus sign at the end of the thing. Let me hit the go button, and it will tell you meta information about the link. Primary thing that was important was they were using a bitly account because they were using the API to create these links, and so they had to do it from an account. And so then you could take the username of the account and then you could iterate on all of their things. And so I wrote this. Honestly, this garbage, just potato level python scriptures. Scrape bitly every ten minutes. Hell yeah.

And just like, tell me what’s going on, because it’s bit ly. It would also tell you how often someone quit. And I was like, I don’t love this, but this is your security team.

David: That finally has metrics.

Guest: Yeah, right?

Deirdre: I was like, hey, this is good.

Guest: This is good, this is good. And, like, we would sit and we’d watch this account, and, like, they started. They start. Cause, like, they were using basically three different bit ly accounts and they were just iterating through them. And, like, I could watch all three of them. And at one point in August of 2016, Bitly stopped my ability to publicly scrape that djin point.

Deirdre: You’re the malicious actor.

Guest: Vaguely. I never found out why. I vaguely assumed someone in law enforcement was like, yo, I want to know more about what’s going on here. And they’re just like, we’re shutting this whole thing down.

Deirdre: Okay.

Guest: And, like, I got. I got. Oh, no. I want to say it’s August, but, like, probably, in actuality, it was probably October. Campaign time dilation effect. I don’t actually remember when anything happened. We were watching things happen when a high level principal got an email. I walked over to their assistant and said, hi, hey, do me a favor.

Go into boss’s email, because I know you have access to their account, and just delete this email. I really don’t want to just delete it. It’s cool. And while we’re talking, boss is on the phone with it, and he’s saying, hey, I got this email from google saying to change my password. What should I do? And it goes, it’s from google. It sounds like a good idea, boss.

Deirdre: And he clicked the link in the email.

Guest: The bad guys were only in the account for a very short period of time. That is a piece of specific that I don’t think I can share exactly how long. But they weren’t there for a long time because, again, we had eyes on. Yeah, all of that damage was from that very short period of time. And that was brutal. And by the way, in my estimation, as I was saying, nation states have different tiers of teams. Yeah, this was probably their b team. I mean, this was like b teamwork because, again, the Bitly league and all this other stuff like this, like, one level above intern, I consider there to be about.

There are three distinct, different waves of attacks that hit us in 2016. And they all have sort of, like, time features. And weirdly, they’re broken up by the Olympics. So, like, a team hit us before the Olympics, and then they were just doing a bunch of stuff. They’re emailing a bunch of things, and then all of a sudden, August hits up and it’s the Olympics. And that, like, terrifying moment happens as a security analyst happens, which is all of a sudden, your bad guy stops targeting you.

Deirdre: Yeah. Like, and you’re just like, oh, no.

Guest: But he’s still sending emails. Like, they’re still sending stuff.

Deirdre: Oh, wait.

Guest: But, like, all of a sudden, no one on our team is the ones on the receiving end. And we’re just like, oh, this is bad. Oh, what did they get?

Deirdre: Did they succeed?

Guest: They’re done with us. Like, pit in my heart, feeling in my head. I feel like I spiraled for, like, three or four days, my friend. And coworker is like, oh, you were pissed off for like, 20 minutes, it turns out. I don’t know why this particular threat actor. During the, like, right before and during the Olympics, they started only targeting Olympic committee doping doctors and testing companies.

Deirdre: It was the strangest thing.

Guest: They went really hard against these.

David: Like, suddenly they had a reprioritization at.

Guest: Work because I would google some of these email addresses. Like this. A doctor. This is like a college. Like, what is this? I don’t understand what I’m looking at. Like, this target list is strange.

Deirdre: Yeah.

Guest: And then also, like. Like a light bulb, which is Olympics, dummy. I was like, oh, yeah. Oh, this is that first time that the Russians had to play under, like, the RoC flag and not like, the actual russian flags because of all the doping.

Deirdre: Yeah, they were mad.

Guest: Yeah, they were super duper mad. Then, like, after that, there was a. Another wave, which was, I think, to me, this is the. This is their a team. And their a team was cute. They never broke into any of our systems, but they worked really. They got really close. They got scary close.

And so, like, again, heavy knock on what? They did not break into any of our campaign resource technology. They did get into the DNC. Yeah. And that was pretty rough. We had to do IR on that issue and it was pretty long. Ir. Again, I am happy to report that today those issues do not exist because all of those problems are gone. Cause the DNC has taken security extraordinarily seriously post.

And I mean, even during, like, they were. Because DC, the only thing we do is overcorrect. And, like, thankfully, the folks that they’ve hired up, they’ve managed to, like, steer the ship in, like, a good direction and, like, keep the eyes on the prize. Hell, yeah. And I like that. I really, like, shout out to Bob and Steve. Cause, like, they’re good dudes. Then there is what I call s tier.

Deirdre: Like, s tier.

Guest: Oh, super s tier.

Deirdre: Cool.

Guest: Like, they were hardcore.

David: We’re big in the tier lists on this.

Guest: They were super hardcore. S tier was a phishing email. Okay. Coming from not owned infrastructure, coming from the app, from the Google Play store.

Deirdre: Oh, God.

Guest: And it was. It was amazing. It was from the Play store and it said, hello, we’ve deemed that you should install Google scanner on your account. And it’s like, it’s got a rainbow g. And all this stuff you clicked on the thing, it takes you to the app store.

Deirdre: Oh, my God.

Guest: And I was just like, whatever the fuck this is, is bad. I reach out to a couple folks that I know over there. I was just like, take this off right now. And one, figure out what it’s doing and two, give me a copy.

Deirdre: Yeah.

Guest: And they’re like, Tim, we can’t give you a copy but it is in a hazmat. It is legitimately bad. I was like, go on. And they’re like I don’t know, how much is this? I think Google actually released most of this cool. In a report. So it would attach your account and it was an Oauth to cred to your account and just tapped into all your stuff and just covered up everything else and shuttled it out to some server on Yandex.

Deirdre: Oh my glory.

David: I’m surprised we don’t see more of this because this is like the universal phishing bypass, right? Like it’s terrifying. But like we say, phishing is solved.

Guest: No, Oauth, I go around a lot.

David: Saying like Oauth two, like install Ub keys, but Oauth two, like this is tough. Cause you are still authenticating to the real identity provider when you do something like this.

Guest: Yeah. And it was like, Dave, you’re absolutely right. I am shocked. I don’t hear about these attacks more. I’ve seen other folks do something like this trying to tip into OAuth creds, but this was one where it came straight from the app store and I was just like, that’s bad. This is bad in all shapes and forms. I immediately recognized that as an Oauth two attack. And I was just like, I don’t know why I never thought of this.

Thomas: The original phishing mail comes from the app store, right? When you’re in an app, like you’ve installed an app, it’s going to mint a credit for the Oauth two. Perfect. That used to be a low quality bug on Pentests was finding a system somewhere that would let you send an email and it’d be like, okay, that’s Sevenfo. And it probably is still sevenfold a lot of places. But if you can find that bug somewhere in the play store where you can send an attacker controlled email, that’s obviously pretty rough.

Guest: Yeah, and like, by the way, they only sent out, the target list was like only top tier. And I was just like, oh, oh.

Deirdre: So they were keeping it quiet too.

Guest: And then like the s tier team, they also like when that didn’t work, I believe, because again, you never know, right? That’s, that’s, that’s the worst part of Baudor jobs. You never really know. You have good feelings, but you never know. But I feel like at the time we were low chance, maybe. Hopefully. Someone forwarded me an email with this wild PDF, and they’re like, hey, Tim, this PDF won’t open, and my computer is acting weird. I was like, cool, give me your. Fuck.

Give me your laptop. And I just turned the thing off as I go to it and get a new one. And they’re like, but? I was like, but nothing. Everything you’re doing is on the cloud, dude. If it’s not, you’re not getting it today. Go get a new laptop right now.

Deirdre: Is there a shredder nearby?

Guest: It’s with a beast bowl bat. Yeah. I pop open the malware using my favorite tool, which is XXD because Yolo live off the land, right? And, like, object dump. And I’m just looking at a fat packed binary, and this was a wild binary. Like, this was a PDF that had multiple operating system executables for multiple mobile operating systems, multiple desktop operating systems. This was the one that was gonna work, and it was all magically encapsulated in that garbage PDF file. Because PDF’s are garbage. Yeah, they’re just absolute garbage.

Like, hey, here’s a memory address that we just go to, and then we’d run an interpreter on it. Okay.

Deirdre: It’s a little computer. It’s a little Turing machine, the Turing complete machine.

Guest: So, like, I looked at the thing. I found enough to sit down, be like, that’s an l petter. Okay. I don’t know, because, like, I’ve done enough memory dumps to sit down, be like, okay, yeah, zero, zero. Okay, got it. There. I was just like, okay, that looks like, oh, okay, there. There’s multiple binaries that are in this.

I don’t have time for this shit. Yeah. And so, like, I. I throw it over the wall to a friend. I was like, I know it’s bad. I don’t have time for this. It’s like late October.

Deirdre: Yeah, yeah, yeah.

Guest: Or mid October. Like, it was getting. It was getting late in the season, and we had to, like, do a thing. And, yeah, it turns out if you look in October of 2016, Adobe has, like, eight Cve’s on one release. Two of them are, like, tens. No joke. This is as bad as it possibly could be. And I was legit to was like, that’s the one you found? I was like, cool, thanks.

Super props.

Deirdre: Shit.

David: Usually when I talk to people about securing an organization or running a security team or any form of security, I tell people not to worry about o days. I’m like, you need to sort out your ideas, identity, provider and your logins, and then, like, there’s a bunch of.

Guest: Other stuff to get through management. Do you know what you’re doing? Like, just authorization, credential tokens.

David: Yeah, exactly. But also this undertone of you’re just not fucking important enough for an ode most of the time.

Guest: Right?

David: And this is great advice until you suddenly become important enough to have a PDF that’s got, like, privilege escalation binaries embedded for five different operating systems inside of it.

Guest: And so.

David: What do you do about that? Is it just go after the fundamentals again? Because now you’re existing in the world that I tell people, most people, not to worry about.

Guest: Today, my biggest fear is mobile devices, laptops and computers, your windows, desktops, all this other stuff. This is garbage. No one cares. Again, I always say your EDR is not doing what you think it’s doing. It’s fine. But your mobile phone is doing everything that you think it’s doing. It is oauth credit into all of your life. And if you want to go from a place, that’s the place to go.

Do, hopefully the jails within the mobile devices jail correctly. But who knows? Pegasus is what I’m trying to say.

Thomas: You all talked a lot about 2016 and the experience of the campaign getting fished and all that. And then in 2018, part of the reaction to the experience in 2016 was a bunch of security people got together and did organized training for a bunch of congressional campaigns. I did a little bit of it. I did less than everybody else did, and there was a slack channel with a really big, long conversation about recommendations to give all the campaigns, and that kind of, that produced Mache’s tech solidarity congressional campaign list. And I’m curious, like, I’m curious what your take is on in 2024 versus where we were in 2018. So you just brought up mobile devices, right. Like, a really, a core recommendation on the tech solidarity list was get your shit off of laptops or whatever and move it onto your. And move it onto an iPhone.

I know, because the iPhone platform, I mean, there are. There are things where, like, you know, we can go back and forth on how campaigns operate, but from a computer science perspective, the iPhone is a safer platform. Oh, yeah. Than your laptop is. Right. So, like, yeah, I mean, that’s an interesting case there, right. Where, like, now in 2018, we also would have said you need to be, everybody on your campaign needs to be running a modern iPhone, right? Like, no and no Android.

Guest: No Android. But, like, Apple six are better at least, or. Yeah, iPhone six s are better, right? Right?

Thomas: And today you’d say, you know, whatever the phone within the last, I don’t know, four years or whatever from runs modern iOS, right?

Guest: I’m willing to sit down and say any phone that has a security enclave, you’re okay ish.

Thomas: One of the things that I feel like we ran into when we did trainings and just like, a thing that we learned from talking to people was it’s like there’s a perennial debate about Android versus iOS security. And at this point, like, I’ve given up on it, right? Like, it’s gotten too complicated for me to have any faith whatsoever in, like, whether I know what’s going on there or not. But the bigger, even back then, the bigger issue was if you tell people they can run Android phones, they’re going to run random ass best buy, you know, shitty Android phones.

Guest: Right? So, Timo.

Thomas: If you could just if you could just get people to say, if you could just get people on flagship phones, you’d be fine. But but now you’re explaining the concept of a flagship phone and in a campaign security context, it’s much it’s just much crisper to say, you know, get an iPhone or don’t. Don’t plug in.

Guest: That is mostly right, because today, an iPhone in lockdown mode, an iPad in lockdown mode, you’re pretty good. Things that I add to that is I also sit down and say, hey, we’re going to use iverify, which is a startup coming out of trail of bits guys. And it is not an MDM. It’s way better. It’s built to find things like Pegasus. It’s great. Use it. And the defending digital campaigns, folks, Michael Kaiser’s team, they’ve really made the ecosystem a lot better because the biggest problem with campaign finance in 2004 was that campaigns cannot get a deal from vendors.

Because if we get a deal from a vendor that other campaigns cannot get, that is an in kind contribution. Gross. I would sit down and work around this. I worked with lawyers to sit down and say, hey, if we get this vendor and they give us a discount, as long as they offer that discount to the other team, that’s kosher, right? And he’s like, that’s kosher.

Deirdre: Yeah.

Guest: I was like, okay, cool. That’s not any kind contribution, but they.

Deirdre: Have to take it, right?

Guest: Private company. What they do is what they do. I don’t know.

Deirdre: No, no, no. I mean, like, the other side. Like, if you got a deal offered to both of you, but only one of you took it, I don’t know, I’m not a lawyer anyway, but. Okay.

Guest: Yeah. So I’m, like, I verify here.

Thomas: It would be, like, the one possible exception to the uninstall all your EDR and antivirus stuff, which would have been a 2018 recommendation of ours. Yeah, for me, still, probably. But, like, I could, you know, and I verify. I verify is great. It seems fine to me.

Guest: Yeah. Yeah, it’s. It’s been.

David: Any notable EDR issues in the last month?

Deirdre: No, not at all. Yeah, no, it’s.

Guest: It’s.

Thomas: It’s. It’s pretty good stuff.

Guest: It’s. It’s August. Oh, wait, it’s still August.

Deirdre: Oh, still August.

Guest: It’s still August. The. The ecosystem has changed. It is different. Everyone is using cloud services. Very few people are doing things exclusively on their laptops, with some notable exceptions. And even then, those exceptions are going away.

Thomas: We were, like, generally, one of the things that flummoxed us was trying to figure out a way to get people not to double click on things you can take. First of all, I’m sure this is still good. You want to get people out of the habit of sending attachments in the first place, and instead just have them send links to gdocs or something like that in. Right. But, like, if they’re gonna. You can do the attachment thing if you, you know, copy the attachment out and upload it to Google Drive or something like that.

Deirdre: Right?

Thomas: Like, sure. Or if you do it in Gmail or if you’re doing it on your iPhone or whatever. Right. But the thing that’s really tricky is, like, getting normal people to understand not to. Like, we were to the point where we were talking about, like, distributing applications that would be the file handlers for those applications and just redirect them or whatever. I’m still like, I don’t know that there is a good answer on getting people not to double click things, which seems like a pretty big hole in the whole campaign security apparatus.

Guest: So one of the things I worked on recently was the office of the National Cyber Directorate has the cybersecurity Workforce Task force, and I was brought in to the White House to go read through some of their papers, give them feedback and input onto some. Some of the things. And the biggest problem that I identify is that information security today exists in the same kind of space that sex education existed in the 1950s. Right? It is mostly anecdotal. It is mostly peer kind of learnings from the age of. And this is my favorite thing to do is whenever my friends have kids, I sit down like, cool. Hey, when did you just give up and, like, give your kid your phone? When did the kid figure out your password or your unlock code to your phone? When did you give up and give them a tablet? And, like, when did they first install their own software on their own tablet? There’s like. Cause like, kids are doing this.

Deirdre: Oh, yeah.

Guest: And like, the olds like to sit down and talk about, like, digital natives and this and other, like, whatever. I just like to say, that’s 2024 and this is just life. And the norms that we have in the sort of tech business world is drive engagement, drive engagement. Drive engagement. Drive engagement. And, Tom, what you’re saying is, how do I stop double clicking? How do you stop people from sharing things on a thing and just randomly clicking on it? Because they saw, here’s a TikTok video, or at least a TikTok looking URL, and I’m just going to go, stop engaging, Thomas.

Deirdre: It’s just about not engaging when the entire Internet and the entire software ecosystem of your life is trying to get you to engage and has trained you to engage.

Guest: And so instead, we need to focus on those basics to make sure that some adequate system of controls do exist. But none of these controls exist for you and your personal account. And it hurts. Well, I mean, I mean, not really. Like, you can choose to sign up for app. You can choose to sign up for. Microsoft has the same thing, except they call it maps, so it’s Mapp. I mostly recommend folks work inside signal groups if they can.

I know a lot of folks still use wicker, which is. Sorry, it’s fine. It’s fine enough.

Deirdre: I know some good cryptographers that work for Wicker.

Guest: There’s some good work that’s been put into Wicker. Things I tell people not to use is things like wire and telegram and cyber, because that was like a thing for a half a second.

David: Definitely don’t use telegram in France.

Guest: No, yeah, don’t run telegram and go to France. I don’t know what to do about the idea of, like, please stop engaging with things because campaigns move extraordinarily fast. If you’re a low level staffer, you’re getting hammered by all kinds of bosses all the time. And bosses are sending stuff from their personals all the time. Well, less and less, but we know that it still happens.

Deirdre: Yep.

Guest: People are people, and then bosses are getting emails from everyone all the time because they’re bosses and they’re fancy. And how do you take some people who should be treated as a national security asset who is now a private civilian working with or volunteering with a campaign. How do we put adequate controls around those people? They need to take a personal interest in doing so. And many folks have. And 2024, that’s the biggest change. Am I saying that we’re good across the board? Well, definitely not. I would sit down and say that even in 2020, we had to explain to relatives and spouses of candidates. I was like, hi.

Yeah, we’re gonna, you know, hello, grandma. We’re gonna go through your. We’re gonna put some security controls on Facebook. They’re like, you can’t mess with Facebook because that’s where my grandkids are. I’m like, no, you’ll still have it. We’re just gonna lock down the thing. And then they say, well, I can’t see a post because you touched their Facebook account, and all of a sudden, the Facebook algorithm did something. And so that drives anything, any change.

Deirdre: Coincidental or not, is now your fault just because you touched it.

Guest: So that’s definitely a thing. And so humans being humans, Tom, what people do is they buy two phones, and then they’re like, I saw the problem. I have two phones. And now you have your campaign and work related BYOD device, and then you have your personal fun phone for, I guess, clash of kings or whatever game you want to sit down and play time.

Thomas: It was always the dream to get people to buy chromebooks for this, which was a pipe dream.

Guest: But we bought a lot of chromebooks in 2020, or the DNC bottle autogram books in 2020.

Deirdre: Do they get used? Yeah, I mean, like documents, Google Docs, whatever. The little thing.

Guest: There’s a wild market difference between the tooling that the different teams use. It’s weird, right? Dems are typically AWS, Linux, Mac shops, and the republican camp tends to be Office 365 with azure setups. And, yeah, it’s a market difference in tech. Now, I will say that there are some Dem committees that are also on office 365, but they also have to play with the Google workspaces stuff because everyone else is doing it. And they’ve decided we’re still sticking to this. And I mean, good for them. Because I will say that if you have the manpower to adequately administer an office 365 environment, Windows Defender is like a really amazingly good tool that’s remarkably cheap at. For what it does.

And if you pay for that e five license and you get all of your security telemetry and you have some thing that can ingest and digest that, and maybe you hire an MSP to create you some alerts. You’ll find stuff like, no doubt, cool, but in the individual campaign world, if you’re running for a senate, if you’re running for the House, if you’re running for, even for the White House, making sure that those equities to spend the money on security is hard. I know that this cycle, there are a lot of folks who are pushing elbows to make sure that that budget is there and doing stuff, and kudos to that. You might need to cut that. But the best part is that people are caring and people are noticing. Finding the right balance is hard. And, Tom, I do not know how you train everyone, because, again, the campaign is young and old. Right. It is digital, smart and digital, you know, less smart.

Thomas: It’d be big if true. If you didn’t know how to solve that problem.

Guest: Yeah. No, right. Cause, like, I don’t know. Like, it always comes back down to me, is like, there’s some set of liabilities that we’ve. That some set of companies have been able to, like, work around such that we’re in this world that we live. If it weren’t for Microsoft prioritizing API backwards compatibility and feature requests and features and building new features versus addressing tech debt and solving longstanding security problems, this entire strange ecosystem of stuff wouldn’t have to exist. And the problem is there’s a liability, right? Like, if they made a change to fix the thing, there’s a small chance that someone would sue them for fixing the thing. And so if the choice is do nothing, don’t get sued.

Do something, get sued, do nothing always wins. And maybe that’s a. That’s above my pay grade. That’s a policy discussion that needs to happen with some very serious thought leaders in suits. I don’t know. Not me.

Deirdre: What do you think about pass keys that can be synced?

Guest: I think that passkeys are. They’re a lot better than Yubikeys. So here’s the reason why they’re better than Yubikeys. In 2020, we gave out tons of these gb keys to campaigns, and I’m holding up my keychain of three different multi factor devices, and there’s actually five and six over there on my desk. The problem with this is that this isn’t the only device that you need to connect to that device. You also need a dongle to be able to make sure that it can talk the right usb to my device. And what happens is I got the key to the dongle. You don’t have the key.

And in 2020, the NFC stuff didn’t work really well. And all of that passkeys are better because users notice when they don’t have their phone anymore, users take action when their phone breaks.

Deirdre: Yeah.

Guest: They’re very self motivated in making sure that that device is like in their hands and working and the ecosystem.

Thomas: It feels like the distinction is not meaningful in a campaign setting. And I know, I know specific people who wildly disagree with me on this point. Right?

Guest: Yeah.

Thomas: But it seems like in the context of a campaign where the principal in the campaign is likely as not messaging the rest of the team or receiving messages from random personal accounts using whatever device was most quickly at hand for them. Right. Like just getting them onto some kind of phishing proof authentication is the top line thing you’re trying to get done. Right. And then like isolating the key onto bound hardware so they can’t be transferred or whatever, that’s a fun, like movie plot attack. And I’m sure that really that attack happens, but like the actual fruit for attackers is so much lower hanging in existing campaigns. Like why wouldn’t you just use the phone?

Guest: Yeah, and so the passkey becomes this extra fear factor that I have around the device. And yeah, all the keys are in the security enclave and you cannot get to them from any of the local non privileged API requests that you can do on the device to get there. But like right now the usability ain’t great. And the biggest problem with passkeys that I have found is that because the usability of the passkeys is sort of like being stuttered, rolled out account recovery becomes the hardest, becomes the easiest way to pop an account. Oh yeah, and like passkeys without advanced protection mode, account recovery is so like, hey, I’m sending you a text, right? I’m sending you a plain old SMS text. Did you get it? Cool, great. And I’m going to simjack your device and we’re off to the races. I don’t know if that attack is lie, but it’s a thing that I’ve 1000% thought about and have been able to pull off on myself and friends accounts to just test that theory.

Deirdre: And Google will nag you if you don’t have a recovery phone logged with them. You have to go out of your way to avoid the account recovery flow as a tac vector thing.

Guest: And it’s weird for me to sit down and say this, but maybe no account recovery.

Deirdre: And I completely understand why for a normal, for everyday user, they get locked out for whatever fucking reason I’ve gotten locked out in the distant past. But I know which of my Google accounts is the roots. And the other accounts, because all your.

Guest: Google accounts point at each other.

Deirdre: Yes. And other things, they failover to failover to recover, to recover to the one that doesn’t have any recovery flow. But Google, even with app, with every bells and whistles, every signal I can send to Google that this account is special and you should put me in the highest blah, blah, blah, they have all these other things that they’ll nag you to be like, you don’t have this and you don’t have that. You don’t want to not be able to recover your account. Like, no, that’s exactly what I want. This is the one that’s not recoverable.

Guest: And explaining that to a regular user sounds scary, right?

Deirdre: Yep.

Guest: Cause it’s scary to me. It’s not bad.

Deirdre: Oh, yeah. Yeah, this is. Yeah. That’s why that account has, like, several yubikeys, including one that’s in, like, a box that you, like, bury in the ground.

Guest: Like those ten backup account recovery passwords, right? Like, I had one person go, hey, Tim, like, re aws or GCP root account. Like, we did the thing and now we have these, like, these ten passwords, and these seem really powerful. I was like, oh, yeah, no, they’re super duper powerful. Like, what do I do with them? Do I just print them out and put them in the safe? I was like, there’s a fireproof. He’s like, maybe. I was like, trick question. No safe is really fireproof. You’ll just like, you’ll just make charcoal.

He’s like, what are you gonna do? I was like, legitimately. I’ve heard of teams that have taken those recovery count passwords and used a laser cutter in a piece of steel and cut that into a thing and then throw that into a safe and throw that safe into, I guess, the ocean or whatever. But this is not an okay thing for regular users. And I think that at the end of the day, attackers are lazy. Like they have and cheap and cheap. And, like, in the b team, they’re given, again, LinkedIn and WhatsApp and email addresses and maybe evil engine x and the s tier teams, they’re just doing stuff. And, like, if you can, and even if you bat away the b tier, the s tier is still going to come back. And if you are the target, and I’ve always said this to my users when I’ve done my security awareness trainings, which is like, if you are the target of a nation state attacker, like, you, your name, you yourself, you as a person, you’re kind of bumped.

There’s not. There’s a lot that we can do to delay them. There’s a lot we can do to get signals to see that something else is happening. But at the end of the day, what we’re going to rely on is we’re going to end up relying on the vendors to do what they can do. And that’s the right answer. We can’t make every user a security person. Right. We need to make a.

We need. I mean, I’m going to sound like chinese girly and put my hand. Fingers like this, but, like, secure by design is like, a thing that is a noble effort that is going to be implemented poorly because the equities are voluntary. Right. Like, there’s no mandate to have to do this. And even if you were told you have to do it, the secured by design paradigm is not like, I don’t know, like, you guys have probably had this same thing happen to you. A coder, a junior coder, comes up to you and goes, tim, tell me how to make code secure. Like, just whatever it is, how do I do it? I just.

I’ll just. I’ll do whatever it is that you say and I’ll just delete it. I’ll write secure code. Delete it?

David: Yeah. Why hadn’t we thought of making things.

Guest: Secure by default before?

David: I should have just been hitting the insecure button.

Guest: So I don’t know. I’ve been talking a lot, but, like, that’s. It’s. This industry is a hard industry because at the end, we don’t like us as the security team. We are either a cost center. Right. Or we are a pain in the neck to product PM’s.

Deirdre: Yeah.

David: Who here would be a product PM? I think on that note, I just want to go wrap up with one thing that you mentioned in terms of time dilation, which is we’re recording this on August 26. It was less than two months ago that Biden debated Trump.

Guest: Yeah. And then. So two months ago, Biden debated Trump. But to me, that feels like about three years ago. It also feels about two and a half years ago when Trump got shot. It feels like. It feels like probably definitely two years at this point when Kamala got. They switched up, switched up candidates.

David: It’s hard.

Guest: And we have 70 days to go.

Deirdre: 70 days to go.

David: Well, we appreciate you taking some time to talk to us.

Guest: Thanks, man.

Deirdre: Thank you so much. Godspeed to the end, to election day and beyond. Keep doing what you’re doing. Thanks for the stories.

Guest: This is fun. I appreciate you guys having me on your podcast.

Deirdre: Totally.

Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek, and David Adrian. Our editor is Nettie Smith. You can find the podcast online @scwpod and the hosts online @durumcrustulunm, @tqbf, and @davidcadrian. You can buy merch online at merch.securitycryptographywhitever.com. If you like the pod, you can give us a five star review wherever you get your podcasts. Thank you for listening.